I'm interested in capturing my own WEP and WPA association and authentication traffic so I can study and then understand it. I set up two laptops, one running BT3 live CD and the other Windows XP with a Netgear WG511T PCMCIA wireless card.

I managed to get the capturing laptop configured and authenticated to my wireless router (WPA). I also got my second laptop authenticated but didn't see any of the association/authentication packets when I ran Wireshark in BT3. I set the capturing laptop wireless in promiscuous mode. This is Intel PRO/Wireless 2200BG.

I ran the test again but didn't authenticate my capturing laptop first. It didn't make any difference as I didn't see any traffic when the second laptop authenticated.

Finally, I captured traffic when the capturing laptop authenticated. All I saw were a series of EAPOL frames. There were no beacons, probes or frames containing the SSID. I have seen a pcap file of the authentication process so I know that these additional frames should be present.

I just wonder if my Intel Wireless card isn't playing nicely with Wireshark. Any tips? I hasten to add that this is for my own education, rather than illicit activity in a coffee shop (etc.)!

Last edited by Ignatius on Sun Sep 27, 2009 1:30 pm, edited 1 time in total.

I am making some assumptions because I am not quite clear as to what is connected to what in your configuration. I am assuming that the Intel 2200 BG card is in the laptop that is running BT3. You are trying to capture authentication traffic from the Windows box to the AP from the BT3 box. If this is incorrect, please let us know.

It could be a driver issue with the Intel cards related to promiscuous mode. I have had nothing but trouble with them. I would try using BT4 Pre Release. I have much better results with wireless in BT4 than BT3. Which driver is the card using? (lspci -k and look for the kernel module).

I'll see if I can get BT4 to work. I suppose my alternative is to get a USB or PCMCIA wireless card which will work. I'm based in the UK so would prefer to get something here, rather than have to order from the US (with additional shipping charges).

Last edited by Ignatius on Mon Sep 28, 2009 5:03 am, edited 1 time in total.

I'm not even able to get my wireless (WPA) card connected now though! I'll get back into BT3, copy the entire wpa_supplicant.conf file and try that in BT4.

Unfortunately, the older laptop (the one with the PCMCIA card) won't run BT. It was designed for W98 (yes, that old) and has 128MB RAM. I'll try the PCMCIA card in the newer laptop though to see if it will pick up traffic from my wireless router.

BTW, do you have any recommendations for wireless cards (USB or PCMCIA) which will "play" with BT without any hassle? I'm keen to capture the traffic so I can understand the authentication process.

Here is a list of wireless cards that are supported by BT and any associated issues. I use a Belkin USB stick that supports injection. Like just about anything there are only a few supported versions, and some work better than others. I bought mine because it cost me $25 US.

The card appears to be using the correct driver, ipw2200. I think that the wpa supplicant file should help with the association issue. However, you don't have to associate to capture wireless traffic. Have you tried running Wireshark yet on BT4? Do you get anything?

Having got BT4 working, I tried connecting to my wireless router and could when I used the connection manager so it appears that the driver is correct but I still need to get the wpa_supplicant.conf file sorted. I set up the second laptop and got it to associate too but nothing was picked up by Wireshark. This is regardless of whether it was associated or not and whether it was in promiscuous mode or not.

I'll look into getting a second card from the list that you linked. I just wonder if it's a problem of my configuration of Wireshark so I might ask on their forum. I ran Kismet in BT3 (whilst not associated) and it picked up my home network, as expected, without any problems.

Hmm, this is a strange one. Try tcpdump instead of Wireshark to see if there are any issues with the software config. You can also run airmon-ng to start the wifi card in promiscuous mode to make sure it is actually going into the mode.

I've been pulling my hair out. I managed to get a second Netgear WG511T PCMCIA card and all the research that I did led me to believe that it *should* work to collect management frames. I looked into airmon-ng and issued:

ifconfig wlan0 down
airmon-ng start wlan0

which created a new entry in ifconfig -a (mon0)

I started Wireshark and collected using mon0. Lo and behold, there were beacons and probes! I switched back to my original WG511T card and it didn't work so I guess it's been a combination of a faulty card and the lack of my using airmon-ng. Before you (Ketchup) mentioned this, I assumed that I could change the mode of the card from within Wireshark.

As a non-Linux user, it's been a steep learning curve ... but one which has made me more determined to learn more!

Thanks alucian. I'm using a live BT4 CD and I'm considering using an old laptop (within the HCL) to load BT4. I know that I can take an image to restore the laptop should I make any major configuration errors. I'm pleased that I have a card and appropriate commands which will allow me to collect the traffic that I'll need to learn about the association and authentication process.
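
A check for the symptom discussed in this thread, as an added example that is not part of the original posts: it reads a classic pcap file's link-layer type and counts frame kinds, so a capture holding only Ethernet-style EAPOL frames can be told apart from a monitor-mode capture (such as one taken on mon0) with beacons and probes. The two sample captures are constructed, and the function names are this example's own.

```python
import struct
from collections import Counter

LINKTYPES = {1: "ETHERNET", 105: "IEEE802_11", 127: "IEEE802_11_RADIOTAP"}
MGMT = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
        8: "beacon", 11: "auth", 12: "deauth"}

def classify(linktype, pkt):
    """Return a short label for one captured frame."""
    if linktype not in LINKTYPES:
        return "unparsed"
    if linktype == 1:  # Ethernet-style frame: no 802.11 header to inspect
        return "eapol" if pkt[12:14] == b"\x88\x8e" else "ethernet-other"
    if linktype == 127:  # radiotap header length is little-endian at offset 2
        pkt = pkt[int.from_bytes(pkt[2:4], "little"):]
    if len(pkt) < 2:
        return "truncated"
    # First frame-control byte: bits 2-3 are the type, bits 4-7 the subtype
    ftype, subtype = (pkt[0] >> 2) & 0x3, pkt[0] >> 4
    if ftype == 0:
        return MGMT.get(subtype, "mgmt-other")
    return ("mgmt", "control", "data", "ext")[ftype]

def summarize(pcap):
    """Parse classic pcap bytes; return (link type name, Counter of labels)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        counts[classify(linktype, pcap[off + 16:off + 16 + incl_len])] += 1
        off += 16 + incl_len
    return LINKTYPES.get(linktype, str(linktype)), counts

def _pcap(linktype, frames):
    """Build a constructed sample capture (little-endian classic pcap)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

RADIOTAP = b"\x00\x00\x08\x00\x00\x00\x00\x00"  # minimal 8-byte header
# Constructed frames: beacon, probe request, authentication, QoS data
MONITOR_SAMPLE = _pcap(127, [RADIOTAP + fc + bytes(22) for fc in
                             (b"\x80\x00", b"\x40\x00", b"\xb0\x00", b"\x88\x02")])
MANAGED_SAMPLE = _pcap(1, [bytes(12) + b"\x88\x8e" + bytes(4)] * 2)

if __name__ == "__main__":
    for name, cap in (("monitor", MONITOR_SAMPLE), ("managed", MANAGED_SAMPLE)):
        print(name, summarize(cap))
```

To use it on a real capture, pass the file's bytes to `summarize`; an `ETHERNET` link type with no management labels indicates the capture interface was not delivering raw 802.11 frames.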